
Purpose

Describe the user mapping with SAP logon tickets functionality that is available in the NetWeaver AS Java with usage type Enterprise Portal.

Overview

As described in Ticket issuing - UME properties, a logon ticket issued by the AS Java usually contains two user IDs: the portal user and the R/3 user, the latter being the user that ABAP systems read when they receive the logon ticket. Normally the AS Java populates the R/3 user in the ticket with the logon ID used to log on to the AS Java. This leads to the constraint that the logon ticket can then only be used for SSO to systems where the logon IDs in those systems are the same as the logon ID in the ticket issuing system.

However, if the Enterprise Portal is deployed on the AS Java, this constraint can be overcome using user mapping. This involves mapping an ID against the user in the User Management Engine (UME) of the AS Java so that the mapped ID, instead of the logon ID used to log on to the AS Java, is written into the ticket as the R/3 user. This allows SSO to any system where the logon ID matches the mapped ID.

User Mapping

User Mapping is only available in the Enterprise Portal environment and is used for SSO to backend systems where the user IDs differ from those in the portal. It uses the portal System Landscape, a collection of logical systems each representing an external or back-end system or application, which offers an easy way to connect to those systems or applications.

For each of these logical systems you can map a portal user to a user and password in the backend system, so that instead of the portal user being used for the connection to the backend system, the mapped ID is used. There are two types of user mapping: User Mapping with user IDs and passwords, and User Mapping with SAP logon tickets.

User Mapping with user IDs and passwords (aside)

When a portal user accesses a portal component that is configured to connect to a backend system or application using user mapping with user ID and password, the connection is made using the user ID and password that are mapped for that portal user in the portal system object representing the backend system or application.

It is typically used for connections to systems that do not support logon tickets. The mapping itself can be configured in the User Administration UI of the Portal by an administrator, or by the portal user herself in Portal Personalisation. This is a different type of user mapping from User Mapping with Logon Tickets and is not discussed further in this document.

User Mapping with Logon Tickets – changing the R/3 user in the logon ticket

Normally, a constraint of using logon tickets for SSO is that a user's logon ID in the ticket accepting system must be the same as that in the ticket issuing system. This is because the logon ID in the ticket issuing system is written as the R/3 user in the ticket, and it is this R/3 user that is always read by ABAP systems and usually by AS Java systems too, depending on the value of the UME parameter login.ticket_portalid.

If Enterprise Portal is installed, user mapping functionality allows a mapped ID, different from the logon ID in the AS Java, to be written as the R/3 user in the ticket. This is used for SSO to systems that accept logon tickets but whose logon IDs are different from those in the portal.

The role of the reference system

As part of the configuration of user mapping with logon tickets, one system in the portal system landscape is chosen to be the 'Reference System'. There can be only one reference system; it is defined by entering the alias of the chosen system object as the value of the UME parameter ume.r3.mastersystem, and the reference system should have its 'logonmethod' attribute set to 'SAPLOGONTICKET'.


Screenshot of a system object 3306_direct in the portal system landscape with alias r3_dir appropriately configured for user mapping


Using the Config Tool, the system alias is entered as the value of the UME property ume.r3.mastersystem.


Screenshot of the User Administration UI where, for the reference system 'r3_dir', the portal user 'portaluser' is mapped to the user 'ABAPUSER' that exists in the backend system represented by the system object with alias 'r3_dir'

Enterprise Portal logon ID = portaluser
Reference system name = 3306_dir
Reference system alias = r3_dir
User in backend system represented by system object 3306_dir = ABAPUSER
For reference system 3306_dir, user portaluser is mapped to ABAPUSER
When portaluser logs on to an application on the AS Java, a logon ticket is created with:
    R/3 User = ABAPUSER
    Portal User = portaluser

Each user that has an ID mapped against this reference system has the mapped ID written as the R/3 user in their logon ticket. This happens when the user initially authenticates on the ticket issuing AS Java and the logon ticket is created, not at some later point in time if and when a connection attempt uses the reference system. In fact, it is not necessary for the reference system itself to be used by a portal component to connect to a backend system or application in order for user mapping with logon tickets to work; it can simply be used to change the value of the R/3 user at ticket creation time.

This logon ticket containing a mapped ID can then be used for SSO to any system where the logon ID matches the R/3 user in the ticket, even if the connection to those systems does not involve the portal environment, e.g. a JCo connection to some ABAP system, or manually entering the URL of the ticket accepting system in the browser's address bar.

However, it is important to note that the reference system must be a properly configured system object, since when users define their user mapping the UME checks the mapped user ID and password against the system represented by the reference system. If the credentials are not valid, the user mapping is not stored. This check also occurs when an administrator enters a user mapping if the value of the UME parameter ume.usermapping.admin.pwdprotection is true.
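The following is an added example, not SAP code and not part of this wiki page, that models the rules above: the reference system is selected by ume.r3.mastersystem and must use SAPLOGONTICKET, the R/3 user is fixed at ticket creation from the mapping stored for that reference system (falling back to the logon ID), mappings are only stored after the credential check (skipped for administrators unless ume.usermapping.admin.pwdprotection is true), and an ABAP system reads the R/3 user while an AS Java reads the portal user or the R/3 user depending on login.ticket_portalid. The ticket is a plain dictionary rather than the real MYSAPSSO2 encoding, the backend user store and passwords are constructed sample values, and the "yes"/"no" value set of login.ticket_portalid is an assumption of this model.

```python
"""Model of how an AS Java with Enterprise Portal picks the R/3 user for a
logon ticket when a reference system is configured.

Added example, not SAP code: the ticket is a dict rather than the real
MYSAPSSO2 encoding; backend user stores are constructed inline; the
"yes"/"no" value set of login.ticket_portalid is an assumption.
"""
from dataclasses import dataclass, field


class MappingRejected(Exception):
    """A user mapping failed the credential check against the backend."""


@dataclass
class SystemObject:
    name: str
    alias: str
    logonmethod: str                 # "SAPLOGONTICKET" for the reference system
    # Constructed stand-in for the backend's own user store: user -> password.
    backend_users: dict = field(default_factory=dict)

    def check_credentials(self, user, password):
        return self.backend_users.get(user) == password


@dataclass
class UME:
    properties: dict                 # UME properties as set in the Config Tool
    landscape: dict                  # system alias -> SystemObject
    mappings: dict = field(default_factory=dict)  # (alias, portal user) -> backend user

    def reference_system(self):
        """The single reference system named by ume.r3.mastersystem, or None if
        the alias is unset, unknown, or the system does not use SAPLOGONTICKET."""
        sys_obj = self.landscape.get(self.properties.get("ume.r3.mastersystem"))
        if sys_obj is None or sys_obj.logonmethod != "SAPLOGONTICKET":
            return None
        return sys_obj

    def store_mapping(self, alias, portal_user, backend_user, password, by_admin=False):
        """Store a mapping for one system object. A user's own mapping is always
        verified against the backend; an administrator's only when
        ume.usermapping.admin.pwdprotection is true."""
        sys_obj = self.landscape[alias]
        protect_admin = self.properties.get("ume.usermapping.admin.pwdprotection", "false") == "true"
        if (not by_admin or protect_admin) and not sys_obj.check_credentials(backend_user, password):
            raise MappingRejected(f"{backend_user}@{alias}: credentials rejected, mapping not stored")
        self.mappings[(alias, portal_user)] = backend_user

    def issue_ticket(self, logon_id):
        """Create the ticket at authentication time. The R/3 user is the ID mapped
        for the reference system, falling back to the logon ID; mappings for other
        system objects never affect the ticket."""
        ref = self.reference_system()
        r3_user = self.mappings.get((ref.alias, logon_id), logon_id) if ref else logon_id
        return {"portal_user": logon_id, "r3_user": r3_user}


def abap_reads(ticket):
    """An accepting ABAP system always takes the R/3 user from the ticket."""
    return ticket["r3_user"]


def as_java_reads(ticket, login_ticket_portalid="no"):
    """An accepting AS Java takes the portal user when login.ticket_portalid is
    'yes', otherwise the R/3 user (assumed value set; other modes not modelled)."""
    return ticket["portal_user"] if login_ticket_portalid == "yes" else ticket["r3_user"]


def build_example_ume(pwdprotection="false"):
    """The page's example landscape: system object 3306_dir with alias r3_dir,
    portaluser mapped to ABAPUSER. A second, non-reference system is added to
    show that its mappings do not touch the ticket. Passwords are constructed."""
    r3_dir = SystemObject("3306_dir", "r3_dir", "SAPLOGONTICKET",
                          backend_users={"ABAPUSER": "abap-secret"})
    legacy = SystemObject("LEGACY", "legacy_uidpw", "UIDPW",
                          backend_users={"LEGACYUSR": "legacy-secret"})
    ume = UME(properties={"ume.r3.mastersystem": "r3_dir",
                          "ume.usermapping.admin.pwdprotection": pwdprotection},
              landscape={s.alias: s for s in (r3_dir, legacy)})
    ume.store_mapping("r3_dir", "portaluser", "ABAPUSER", "abap-secret")
    return ume


if __name__ == "__main__":
    ume = build_example_ume()
    ticket = ume.issue_ticket("portaluser")
    print(ticket)                                # R/3 User = ABAPUSER, Portal User = portaluser
    print("ABAP logs in as", abap_reads(ticket))
    print("AS Java (login.ticket_portalid=yes) logs in as", as_java_reads(ticket, "yes"))
    try:
        ume.store_mapping("r3_dir", "portaluser", "ABAPUSER", "wrong-password")
    except MappingRejected as err:
        print("Rejected:", err)
```

Running the module reproduces the worked example above (R/3 User = ABAPUSER, Portal User = portaluser) and shows the two defensive points the text makes: a mapping with wrong backend credentials is never stored, and only the mapping for the reference system alias can change what an ABAP system sees in the ticket.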

Related Content

Related Documents

Logon Ticket creation in AS Java

Accessing Back-End Systems with a Different User ID

Related SAP Notes/KBAs
